On the Construction of Lightweight Circulant Involutory MDS Matrices
Yongqiang Li (a,b), Mingsheng Wang (a)
a. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
b. Science and Technology on Communication Security Laboratory, Chengdu, China
yongq.lee@gmail.com, wangmingsheng@iie.ac.cn

Abstract. In the present paper, we investigate the problem of constructing MDS matrices with as few bit XOR operations as possible. The key contribution of the present paper is constructing MDS matrices with entries in the set of $m \times m$ non-singular matrices over $\mathbb{F}_2$ directly, and the linear transformations we use to construct MDS matrices are not assumed to be pairwise commutative. With this method, it is shown that circulant involutory MDS matrices, which have been proved not to exist over the finite field $\mathbb{F}_{2^m}$, can be constructed by using non-commutative entries. Some constructions of $4 \times 4$ and $5 \times 5$ circulant involutory MDS matrices are given when $m = 4, 8$. To the best of our knowledge, it is the first time that circulant involutory MDS matrices have been constructed. Furthermore, some lower bounds on the XORs required to evaluate one row of circulant and Hadamard MDS matrices of order 4 are given when $m = 4, 8$. Some constructions achieving the bound are also given, which have fewer XORs than previous constructions.

Keywords: MDS matrix, circulant involutory matrix, Hadamard matrix, lightweight

1 Introduction

A linear diffusion layer is an important component of symmetric cryptography which provides internal dependency for symmetric cryptographic algorithms. The performance of a diffusion layer is measured by its branch number. Using a diffusion layer with a bigger branch number provides better resistance to differential and linear attacks.
As for lightweight cryptography, which aims to provide security in a resource-limited environment, the cost of implementing a linear diffusion layer is also of importance. With the rapid development of lightweight cryptography, it is of particular interest to investigate the problem of constructing lightweight linear diffusion layers with a bigger branch number.

© IACR. This paper is an extended version of the FSE paper. More examples of circulant involutory MDS matrices are given in the appendix.
A linear diffusion layer is a linear transformation over $(\mathbb{F}_2^m)^n$, where $m$ is the bit length of an S-box and $n$ is the number of S-boxes that the linear diffusion layer acts on. Since every linear transformation can be represented by a matrix, a linear diffusion layer is often represented by an $n \times n$ matrix whose entries can be viewed as linear transformations over $\mathbb{F}_2^m$. The maximum branch number of an $n \times n$ matrix over $(\mathbb{F}_2^m)^n$ is $n + 1$. A linear diffusion layer with maximum branch number is called a perfect diffusion layer or a Maximal Distance Separable (MDS) matrix. An MDS matrix is a linear multipermutation [21].

A common way to construct MDS matrices is using MDS codes over finite fields. Multiplication by elements of a finite field is a basic operation in the evaluation of a matrix over finite fields. Usually, this operation is heavy in implementation. To improve its implementation efficiency, one often constructs a matrix with fewer distinct finite field elements and chooses elements with lower Hamming weight. Therefore, matrices that can be defined by fewer elements are preferred, such as circulant matrices and Hadamard matrices. The diffusion layer of AES is a typical example of this construction method: it is a $4 \times 4$ circulant MDS matrix over $\mathbb{F}_{2^8}$.

Another main method to construct lightweight MDS matrices is the recursive construction. The main idea is to first construct a linear transformation which is sparse and compact in implementation, and then compose it with itself several times to get an MDS matrix. This method was first used in the design of the Photon lightweight hash family [10] and the LED lightweight block cipher [9], and then attracted a lot of attention. The method is extended by using linear transformations instead of multiplication by finite field elements in [19]. Then the work is improved by using linear transformations with fewer XORs in [22], where some extremely lightweight MDS matrices are given.
A method to get rid of the expensive symbolic computations of the above approach when constructing larger recursive MDS matrices is given in [1]. The method is also further investigated in [12]. The construction of recursive MDS matrices also has a relation with coding theory. It is shown that recursive MDS matrices can be constructed from Gabidulin codes [4], and can also be obtained directly from shortened MDS cyclic codes [2]. However, a recursive MDS matrix may lead to high latency since it has to run several rounds to get its outputs. Then how to construct lightweight MDS matrices without using the recursive construction is an interesting problem that needs further study.

Some works revisit the method of constructing MDS matrices over finite fields by choosing elements whose multiplication can be implemented more efficiently. Recently, it was shown that the choice of the irreducible polynomial used to compute multiplication by finite field elements has a great influence on the efficiency [18]. This property is further investigated in [20], where algorithms are designed to search for lightweight MDS matrices with few XORs required to evaluate one row of the corresponding matrix. Several constructions and their comparisons with previous constructions are also given in [20].
Our Contributions. In the present paper, we investigate the problem of constructing MDS matrices with as few bit XOR operations as possible. Note that multiplication by an element of the finite field $\mathbb{F}_{2^m}$ is only a special type of linear transformation over $\mathbb{F}_2^m$. Moreover, there exist many other linear transformations over $\mathbb{F}_2^m$ which cannot be represented by multiplication by elements of $\mathbb{F}_{2^m}$. Therefore, constructing matrices over the space of linear transformations over $\mathbb{F}_2^m$ may lead to new constructions of lightweight MDS matrices.

In previous constructions, the entries used to construct MDS matrices are pairwise commutative, such as MDS matrices over finite fields, or assumed pairwise commutative, such as recursive MDS matrices with entries being linear transformations [19,22]. Since a matrix over a commutative ring is non-singular if and only if its determinant is a unit in the ring, this assumption is convenient for characterizing MDS matrices, as the determinants of square sub-matrices can be computed. However, the restriction to commutative linear transformations may miss MDS matrices with fewer XORs. Therefore, in the present paper we do not assume that the linear transformations over $\mathbb{F}_2^m$ used to construct MDS matrices are pairwise commutative. The strategy we use to determine whether a construction is MDS is computing the ranks of all its square sub-matrices. This becomes too complex for MDS matrices of larger order. In symmetric cryptographic algorithms, the most often used S-boxes are 4-bit and 8-bit S-boxes, and diffusion layers of order 4 are often used. Therefore, we focus on constructing $4 \times 4$ MDS matrices with entries in the space of linear transformations over $\mathbb{F}_2^4$ and $\mathbb{F}_2^8$ in the present paper.

The first result is that circulant involutory MDS matrices can be constructed with our method. Circulant involutory MDS matrices can be implemented efficiently, and the same circuit can be used both in encryption and decryption.
However, it has been proved in [15,13] that there do not exist circulant involutory MDS matrices over the finite field $\mathbb{F}_{2^m}$. In fact, the proof is only valid when the entries of the matrix pairwise commute. This property is satisfied by previous construction methods but not by our method. We show that there exist circulant involutory MDS matrices over the space of linear transformations over $\mathbb{F}_2^m$. Some constructions are also given. To the best of our knowledge, it is the first time that circulant involutory MDS matrices have been constructed. For the $4 \times 4$ circulant involutory MDS matrices constructed in the present paper, the fewest sum of XORs of one row's entries is $m + 1$, $m = 4, 8$. Moreover, we also construct $4 \times 4$ orthogonal circulant MDS matrices, which are also proved not to exist over finite fields [13].

Lower bounds on the XORs required to evaluate one row of circulant (non-involutory) MDS matrices, involutory Hadamard MDS matrices and Hadamard (non-involutory) MDS matrices are also investigated. We show that for circulant MDS matrices whose first row's entries are $[I, I, A, B]$, the fewest sum of XORs of $A$ and $B$ is 3. For involutory Hadamard MDS matrices, the fewest sum (the fewest sum we get) of the XORs of the entries in the first row is $m + 2$ for $m = 4$ ($m = 8$). For Hadamard MDS matrices, the fewest sum of XORs of one row's
entries is 4 for $m = 4$, and the fewest sum we get of XORs of one row's entries is 5 for $m = 8$. Lower bounds on the entries of optimal $4 \times 4$ MDS matrices are also characterized.

Outline of This Paper. The present paper is organized as follows. In Sect. 2, we give some preliminaries. A general bound on the XORs required to evaluate one row of circulant and Hadamard MDS matrices is also given. In Sect. 3, we investigate the construction of lightweight involutory, non-involutory and orthogonal circulant MDS matrices. In Sect. 4, we investigate the construction of lightweight involutory and non-involutory Hadamard MDS matrices. Comparisons with previous constructions are given at the end of the section. In Sect. 5, we investigate the construction of lightweight optimal $4 \times 4$ MDS matrices. A short conclusion is given in Sect. 6.

2 Preliminaries and a general bound

A map $A : \mathbb{F}_2^m \to \mathbb{F}_2^m$ is called linear if $A(x + y) = A(x) + A(y)$ for $x, y \in \mathbb{F}_2^m$. Fixing a basis of $\mathbb{F}_2^m$ over $\mathbb{F}_2$, a linear map over $\mathbb{F}_2^m$ can be represented by an $m \times m$ matrix over $\mathbb{F}_2$, which is also denoted by $A$. Then $A(x) = A \cdot x$, where $x = (x_1, \ldots, x_m) \in \mathbb{F}_2^m$ is viewed as a column vector throughout this paper. A linear map is a permutation over $\mathbb{F}_2^m$ if and only if its matrix representation is non-singular. The notation $GL(m, S)$ denotes the set of all $m \times m$ non-singular matrices with entries in $S$.

For $a, b \in \mathbb{F}_2$, $a + b$ is called the bit XOR operation. For $A \in GL(m, \mathbb{F}_2)$, $\#A$ denotes the number of XOR operations required to evaluate $A \cdot x$ directly, where $x \in \mathbb{F}_2^m$, and we say that $A$ has $\#A$ XOR operations. It is easy to see that $\#A$ equals the number of XORs in $A(x)$ and hence
$$\#A = \sum_{i=1}^{m} \big(\omega(A[i]) - 1\big),$$
where $\omega(A[i])$ is the number of nonzero entries in the $i$-th row of $A$. For $A \in GL(m, \mathbb{F}_2)$, a simplified representation of $A$ is given by extracting the nonzero positions in each row of $A$. For example, $[2, 3, 4, [1, 4]]$ is the representation of the following matrix
$$\begin{pmatrix} 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \\ 1 & 0 & 0 & 1 \end{pmatrix},$$
and it is a matrix with 1 XOR operation.
Every linear diffusion layer can be represented by a matrix as follows:
$$L = \begin{pmatrix} L_{1,1} & L_{1,2} & \cdots & L_{1,n} \\ L_{2,1} & L_{2,2} & \cdots & L_{2,n} \\ \vdots & \vdots & \ddots & \vdots \\ L_{n,1} & L_{n,2} & \cdots & L_{n,n} \end{pmatrix},$$
where $L_{i,j}$ is an $m \times m$ matrix over $\mathbb{F}_2$ for $1 \le i, j \le n$. For $X = (x_1, \ldots, x_n) \in (\mathbb{F}_2^m)^n$,
$$L(X) = \Big(\sum_{i=1}^{n} L_{1,i}(x_i), \ldots, \sum_{i=1}^{n} L_{n,i}(x_i)\Big),$$
where $L_{i,j}(x_k) = L_{i,j} \cdot x_k$ for $1 \le i, j \le n$, $1 \le k \le n$. A linear diffusion layer $L$ defined as above is called involutory if $L \circ L(X) = X$ for all $X \in (\mathbb{F}_2^m)^n$, which is equivalent to $L^2$ being the identity matrix of order $mn$.

For $X = (x_1, \ldots, x_n) \in (\mathbb{F}_2^m)^n$, the bundle weight of $X$, denoted by $\omega_b(X)$, is defined as the number of nonzero entries of $X$. This means
$$\omega_b(X) = |\{x_i : x_i \ne 0,\ 1 \le i \le n\}|.$$
The branch number of $L$ is defined as
$$\min\{\omega_b(X) + \omega_b(L(X)) \mid X \in (\mathbb{F}_2^m)^n,\ X \ne 0\}.$$
The upper bound on the branch number of $L$ is $n + 1$, and a matrix achieving the bound is called an MDS matrix.

Square sub-matrices of $L$ of order $t$ are the following matrices
$$L(J, K) = (L_{j_l, k_p},\ 1 \le l, p \le t),$$
where $J = [j_1, \ldots, j_t]$ and $K = [k_1, \ldots, k_t]$ are two sequences of length $t$, with $1 \le j_1 < \cdots < j_t \le n$ and $1 \le k_1, \ldots, k_t \le n$. Note that $L(J, K) \cdot (x_1, \ldots, x_t) = 0$ has no nonzero solution if and only if $L(J, K)$ is of full rank. Then the following result holds, which is proved in [5].

Theorem 1. Let $L = (L_{i,j})$, $1 \le i, j \le n$, where the entries of $L$ are $m \times m$ matrices over $\mathbb{F}_2$. Then $L$ is an MDS matrix if and only if all square sub-matrices of $L$ of order $t$ are of full rank for $1 \le t \le n$.

According to Theorem 1, the computation becomes complicated when $n$ is large. Then in the present paper we focus on $4 \times 4$ matrices, which are widely used in cryptography. More precisely, we construct lightweight MDS matrices using circulant matrices and Hadamard matrices. Both of them can be defined by the first row's entries and hence can be implemented efficiently.

2.1 A general bound

In this subsection, we give a general bound on the XORs of circulant and Hadamard MDS matrices. A matrix is called circulant if each row is the preceding row rotated to the right by one entry. Then for a $4 \times 4$ circulant matrix, we mean
$$\mathrm{Circ}(A, B, C, D) = \begin{pmatrix} A & B & C & D \\ D & A & B & C \\ C & D & A & B \\ B & C & D & A \end{pmatrix},$$
where $A, B, C, D \in GL(m, \mathbb{F}_2)$. A $2^k \times 2^k$ matrix $H$ is called a Hadamard matrix if it can be represented as
$$\begin{pmatrix} H_1 & H_2 \\ H_2 & H_1 \end{pmatrix},$$
where $H_1, H_2$ are two $2^{k-1} \times 2^{k-1}$ Hadamard matrices. Then for a $4 \times 4$ Hadamard matrix, we mean
$$\mathrm{Had}(A, B, C, D) = \begin{pmatrix} A & B & C & D \\ B & A & D & C \\ C & D & A & B \\ D & C & B & A \end{pmatrix},$$
where $A, B, C, D \in GL(m, \mathbb{F}_2)$.

Remember that our aim is constructing MDS matrices with as few XOR operations as possible. Then we prefer linear transformations with no XORs. However, the following results limit the number of such linear transformations that can be used in our constructions.

Lemma 1. Let
$$L = \begin{pmatrix} L_1 & L_2 \\ L_3 & L_4 \end{pmatrix},$$
with $L_i \in GL(m, \mathbb{F}_2)$, $1 \le i \le 4$. If $\mathrm{rank}(L) = 2m$, then $\sum_{i=1}^{4} \#L_i \ge 1$.

Proof. Assume $\#L_i = 0$, $1 \le i \le 4$. Then for $1 \le i \le 4$, each row and each column of $L_i$ has exactly one entry equal to 1, since the $L_i$ are non-singular. This means that every entry of $\sum_{j=1}^{m} L_i[j]$ equals 1. Therefore, every entry of $\sum_{i=1}^{2m} L[i]$ equals 0, which means $\mathrm{rank}(L) < 2m$, and we complete the proof.

Then we have the following result.

Theorem 2. 1. Let $L = \mathrm{Circ}(A, B, C, D)$ be a circulant MDS matrix, where $A, B, C, D \in GL(m, \mathbb{F}_2)$. Then $\#A + \#B + \#C + \#D \ge 2$.
2. Let $L = \mathrm{Had}(A, B, C, D)$ be a Hadamard MDS matrix, where $A, B, C, D \in GL(m, \mathbb{F}_2)$. Then $\#A + \#B + \#C + \#D \ge 3$.

Proof. Let $L = \mathrm{Circ}(A, B, C, D)$ be a circulant MDS matrix. Assume $\#A + \#B + \#C + \#D \le 1$. Then there are at least 3 entries with 0 XORs in the first row. Without loss of generality, we suppose $\#A = \#B = \#C = 0$. Then according to Lemma 1, it holds that
$$\mathrm{rank}(L([1, 2], [2, 3])) = \mathrm{rank}\begin{pmatrix} B & C \\ A & B \end{pmatrix} < 2m.$$
This is a contradiction since $L$ is an MDS matrix. The other cases can be proved similarly.
Let $L = \mathrm{Had}(A, B, C, D)$ be a Hadamard MDS matrix. Assume $\#A + \#B + \#C + \#D \le 2$. Then there are at least 2 entries with 0 XORs in the first row. Without loss of generality, we suppose $\#A = \#C = 0$. Then according to Lemma 1, it holds that
$$\mathrm{rank}(L([1, 3], [1, 3])) = \mathrm{rank}\begin{pmatrix} A & C \\ C & A \end{pmatrix} < 2m.$$
This is a contradiction since $L$ is an MDS matrix. The other cases can be proved similarly.

The above result means that there are at most two entries with no XORs in one row of a circulant MDS matrix, and at most one entry with no XORs in one row of a Hadamard MDS matrix. We suppose $L[1, 1] = I$ in our constructions, where $I$ denotes the identity matrix throughout this paper.

3 Lightweight circulant MDS matrices

In this section, we investigate the construction of lightweight circulant involutory, non-involutory and orthogonal MDS matrices respectively.

3.1 Constructing circulant involutory MDS matrices

First, we have the following result.

Lemma 2. Let $L = \mathrm{Circ}(I, A, B, C)$ be a circulant matrix, where $A, B, C \in GL(m, \mathbb{F}_2)$. Then $L$ is an involution if and only if the following equalities hold:
$$AB = BA, \quad BC = CB, \quad A^2 = C^2, \quad AC + CA = B^2.$$

Proof. By matrix multiplication, it can be checked that
$$L^2 = \mathrm{Circ}(I, A, B, C) \cdot \mathrm{Circ}(I, A, B, C) = \mathrm{Circ}(I + AC + CA + B^2,\ BC + CB,\ A^2 + C^2,\ AB + BA).$$
On the other hand, $L$ is an involution if and only if $L^2 = \mathrm{Circ}(I, 0, 0, 0)$. Therefore, $L$ is an involution if and only if $AB = BA$, $BC = CB$, $A^2 = C^2$, $AC + CA = B^2$ hold simultaneously.

We give a general construction of circulant involutory matrices in the following result. For $A \in GL(m, \mathbb{F}_2)$, the multiplicative order of $A$ is defined as the minimum positive integer $d$ such that $A^d = I$.
Lemma 3. Suppose $A, C \in GL(m, \mathbb{F}_2)$ with $A^2 = C^2 = I$, and the multiplicative order of $A + C$ equals $4k - 2$ for some integer $k$ with $k > 1$. Let $B = (A + C)^{2k}$. Then the matrix $\mathrm{Circ}(I, A, B, C)$ is an involution.

Proof. Let $B = (A + C)^{2k}$. Note that $A^2 = C^2 = I$; then according to Lemma 2, we only need to prove that $A, B, C$ satisfy the following equalities:
$$AB = BA, \quad BC = CB, \quad AC + CA = B^2.$$
First, it is easy to see that
$$(A + C)^2 = A^2 + AC + CA + C^2 = AC + CA.$$
Then we have
$$B = (A + C)^{2k} = (AC + CA)^k.$$
Therefore,
$$AB = A(AC + CA)^k = A(AC + CA)(AC + CA)^{k-1} = (A^2 C + ACA)(AC + CA)^{k-1} = (CA^2 + ACA)(AC + CA)^{k-1} = (CA + AC)A(AC + CA)^{k-1} = \cdots = (AC + CA)^k A = BA.$$
Similarly, it can be checked that $BC = CB$. Note that $(A + C)^{4k-2} = I$; then we have
$$B^2 = (A + C)^{4k} = (A + C)^2 = AC + CA.$$
According to Lemma 2, $\mathrm{Circ}(I, A, (A + C)^{2k}, C)$ is an involution.

Remark 1. If $k = 1$, then the multiplicative order of $A + C$ equals 2 and $B = (A + C)^2 = I$. In this case, $L = \mathrm{Circ}(I, A, I, C)$ constructed as above is also a circulant involution. However, it is not an MDS matrix since $\mathrm{rank}(L([1, 3], [1, 3])) < 2m$. Then we always suppose $k > 1$, since we want to construct circulant involutory MDS matrices.

Using the above results, our searching strategy is as follows. First, we get the set $S$ which contains all involutory matrices from the set which we want to search. Then for each pair $(A, C) \in S \times S$, we compute the multiplicative order
$d$ of $A + C$. If $d \bmod 4 = 2$, then let $B = (A + C)^{d/2 + 1}$, and test whether $\mathrm{Circ}(I, A, B, C)$ is MDS by Theorem 1.

When $m = 4$, we search $A, C$ over $GL(4, \mathbb{F}_2)$. There exist $A, C$ such that $\mathrm{Circ}(I, A, B, C)$ is MDS. The fewest sum of XORs of one row's entries of an MDS involutory $\mathrm{Circ}(I, A, B, C)$ constructed as above is 5. There are 48 pairs of $A, C$ with this property.

When $m = 8$, we search $A, C$ over all $8 \times 8$ non-singular matrices over $\mathbb{F}_2$ with at most 3 bit XOR operations. The fewest sum of XORs of one row's entries of an MDS $\mathrm{Circ}(I, A, B, C)$ constructed as above is 9. There are pairs of $A, C$ satisfying this property. For all these pairs of $A, C$, $\mathrm{Circ}(I, C, B, A)$ are also circulant involutory MDS matrices.

Theorem 3. There exist $A, B, C \in GL(m, \mathbb{F}_2)$, $m = 4, 8$, such that $\mathrm{Circ}(I, A, B, C)$ is an involutory MDS matrix. Furthermore, the following statements hold.
1. When $m = 4$, circulant involutory MDS matrices constructed with the above method satisfy $\#A + \#B + \#C \ge 5$.
2. When $m = 8$, if $\#A \le 3$ and $\#C \le 3$, then circulant involutory MDS matrices constructed with the above method satisfy $\#A + \#B + \#C \ge 9$.

Example 1. Examples of $A, B, C$ such that $\mathrm{Circ}(I, A, B, C)$ are circulant involutory MDS matrices with $\#A + \#B + \#C = m + 1$.
(1) $m = 4$, $A = [1, 2, [1, 3], [1, 2, 4]]$, $C = [4, 3, 2, 1]$, $B = (A + C)^4 = [2, [1, 2], [3, 4], 3]$.
(2) $m = 8$, $A = [1, 2, [1, 3], [1, 2, 4], 6, 5, 8, 7]$, $C = [5, 8, [2, 6], 7, 1, [3, 8], 4, 2]$, and $B = (A + C)^{16} = [[7, 8], 1, 7, [3, 8], [2, 4], [1, 4], 6, 5]$.

We further investigate the construction of $5 \times 5$ circulant involutory MDS matrices. In order to simplify our characterization, we investigate $5 \times 5$ circulant matrices of the type $\mathrm{Circ}(I, A, B, B, A)$, where $A, B \in GL(m, \mathbb{F}_2)$. Concerning the involutory property of $\mathrm{Circ}(I, A, B, B, A)$, it is easy to prove the following result.

Lemma 4. Let $L = \mathrm{Circ}(I, A, B, B, A)$ be a circulant matrix, where $A, B \in GL(m, \mathbb{F}_2)$. Then $L$ is an involution if and only if $A^2 = AB + BA = B^2$.
We give constructions by exhaustive search for $A, B$ with the following method. The method is often used hereafter in the paper, and we give a detailed general description here. The following result is helpful. It can be proved via elementary linear algebra and we omit the proof here.

Lemma 5. Suppose $A, B, C \in GL(m, \mathbb{F}_2)$ are $m \times m$ non-singular matrices over $\mathbb{F}_2$. Then the following statements hold.
(1) $\begin{pmatrix} I & A \\ B & C \end{pmatrix}$ is of full rank if and only if $\mathrm{rank}(BA + C) = m$.
(2) $\begin{pmatrix} A & I \\ B & C \end{pmatrix}$ is of full rank if and only if $\mathrm{rank}(CA + B) = m$.
(3) $\begin{pmatrix} A & B \\ I & C \end{pmatrix}$ is of full rank if and only if $\mathrm{rank}(AC + B) = m$.
(4) $\begin{pmatrix} A & B \\ C & I \end{pmatrix}$ is of full rank if and only if $\mathrm{rank}(BC + A) = m$.

Let $L = \mathrm{Circ}(I, A, B, B, A)$. According to Theorem 1, if $L$ is MDS, then all its square sub-matrices are of full rank. According to Lemma 5, we have the following fact by investigating all square sub-matrices of order 2. If $L$ is MDS, then the following matrices are non-singular:
$$A + I, \quad A^2 + I, \quad B + I, \quad B^2 + I, \quad A^2 + B, \quad A + B^2, \quad A + B.$$
Note that $A^2 + I$ is non-singular if and only if $A + I$ is non-singular. Then the conditions can be simplified to: the following matrices are non-singular:
$$A + I, \quad B + I, \quad A + B^2, \quad A^2 + B, \quad A + B.$$
Based on the above observations, we have the following searching strategy. First, note that both $A$ and $B$ should satisfy $\mathrm{rank}(X + I) = m$, $X = A, B$. The equalities that both $A$ and $B$ satisfy are called general rules. Then we can select the candidate set of $A$ and $B$ from the set we want to search over by using the general rules, which means
$$S_{A,B} := \{X : X \in S_{\mathrm{search}},\ \mathrm{rank}(X + I) = m\}.$$
Then for $A \in S_{A,B}$, we can get the candidate set of $B$ by using the other conditions that should be satisfied, which means
$$S_B := \{B : B \in S_{A,B},\ \mathrm{rank}(A + B) = m,\ \mathrm{rank}(A^2 + B) = m,\ \mathrm{rank}(A + B^2) = m,\ A^2 = AB + BA,\ A^2 = B^2\}.$$
At last, for $B \in S_B$, we test whether $L$ is MDS by Theorem 1.

When $m = 4$, we search $A, B$ over $GL(4, \mathbb{F}_2)$. The fewest XORs of one row's entries of an involutory MDS $\mathrm{Circ}(I, A, B, B, A)$ is 4. There are 24 pairs of $A, B$ such that $\mathrm{Circ}(I, A, B, B, A)$ are involutory circulant MDS matrices with $\#A + \#B = 2$. These 24 MDS matrices are of the type $\mathrm{Circ}(I, A, A^T, A^T, A)$ and $\mathrm{Circ}(I, A^T, A, A, A^T)$ for 12 different $A$.

When $m = 8$, we search $A, B$ over $GL(8, \mathbb{F}_2)$ with $\#A + \#B \le 3$. No involutory MDS matrix returns. Therefore, if $\mathrm{Circ}(I, A, B, B, A)$ is an involutory MDS matrix, then $\#A + \#B \ge 4$. Then we have the following result.

Theorem 4. There exist $A, B \in GL(m, \mathbb{F}_2)$, $m = 4, 8$, such that $\mathrm{Circ}(I, A, B, B, A)$ is a $5 \times 5$ involutory MDS matrix.
Furthermore, if $\mathrm{Circ}(I, A, B, B, A)$ is an involutory MDS matrix, then $\#A + \#B \ge m/2$.

Similar to the subfield construction used in [6,18,20], it is easy to construct involutory MDS $\mathrm{Circ}(I, A, B, B, A)$ over $\mathbb{F}_2^8$ with $\#A + \#B =$
4, since we have constructed involutory MDS $\mathrm{Circ}(I, A, B, B, A)$ over $\mathbb{F}_2^4$ with $\#A + \#B = 2$. Let $X \in GL(4, \mathbb{F}_2)$ with $\#X = 1$ be such that $\mathrm{Circ}(I, X, X^T, X^T, X)$ is an involutory MDS matrix. Then $\mathrm{Circ}(I, A, A^T, A^T, A)$ is also an involutory MDS matrix, where $A \in GL(8, \mathbb{F}_2)$ is of the following form
$$A = \begin{pmatrix} X & 0 \\ 0 & X \end{pmatrix}.$$
Then we can construct 24 circulant involutory MDS matrices by using the above method and the search result when $m = 4$. In order to get more circulant involutory MDS matrices, we search $A$ over $GL(8, \mathbb{F}_2)$ with $\#A = 2$. We get $A$ such that $\mathrm{Circ}(I, A, A^T, A^T, A)$ are involutory MDS matrices with $\#A + \#A^T = 4$.

Example 2. Examples of $A, B$ such that $\mathrm{Circ}(I, A, B, B, A)$ are circulant involutory MDS matrices with $\#A + \#B = m/2$.
(1) $m = 4$, $A = [2, 3, 4, [1, 3]]$, $B = A^T = [4, 1, [2, 4], 3]$.
(2) $m = 8$, $X = [2, 3, 4, [1, 3]]$, $A = \begin{pmatrix} X & 0 \\ 0 & X \end{pmatrix} = [2, 3, 4, [1, 3], 6, 7, 8, [5, 7]]$, $B = A^T = [4, 1, [2, 4], 3, 8, 5, [6, 8], 7]$.
(3) $m = 8$, $A = [[3, 5], 8, 1, 3, 4, 2, 6, [2, 7]]$, $B = A^T = [3, [6, 8], [1, 4], 5, 1, 7, 8, 2]$.

It is interesting that $5 \times 5$ circulant involutory MDS matrices can be constructed with only 3 different entries. We have tried some other methods to construct circulant involutory MDS matrices of higher order. However, we have not obtained a circulant involutory MDS matrix of order greater than or equal to 6 so far. We leave it as an open problem.

Problem 1. Construct $n \times n$ circulant involutory MDS matrices over $GL(m, \mathbb{F}_2)$ or prove that they do not exist, where $n \ge 6$, $m = 4, 8$.

3.2 Constructing circulant non-involutory MDS matrices

In this subsection, we want to construct non-involutory MDS matrices with as few XORs as possible. We consider circulant matrices of the type $\mathrm{Circ}(I, I, A, B)$, since it has the most entries with no XORs in one row. The searching strategy is similar to that of the previous subsection. If $\mathrm{Circ}(I, I, A, B)$ is MDS, then the following matrices are non-singular:
$$A + I, \quad B + I, \quad A + B, \quad AB + I, \quad A^2 + B, \quad A + B^2.$$
When $m = 4$, we search $A, B$ over $GL(4, \mathbb{F}_2)$.
The fewest XORs of one row's entries of an MDS $\mathrm{Circ}(I, I, A, B)$ is 3. There are 48 pairs $(A, B)$ such that $\mathrm{Circ}(I, I, A, B)$ are MDS matrices with $\#A + \#B = 3$. These 48 matrices are of the type $\mathrm{Circ}(I, I, A, A^2)$ and $\mathrm{Circ}(I, I, A^2, A)$ for 24 different $A$.
When $m = 8$, we search $A, B$ over all $8 \times 8$ non-singular matrices over $\mathbb{F}_2$ with 1 bit XOR. No MDS matrix returns. This means that if $\mathrm{Circ}(I, I, A, B)$ is an MDS matrix over $GL(8, \mathbb{F}_2)$, then either $A$ or $B$ has at least 2 XORs, and hence $\#A + \#B \ge 3$. Therefore, the following result holds.

Theorem 5. Let $L = \mathrm{Circ}(I, I, A, B)$, where $A, B \in GL(m, \mathbb{F}_2)$, $m = 4, 8$. If $L$ is an MDS matrix, then $\#A + \#B \ge 3$.

In order to get circulant MDS matrices for which the above bound holds with equality when $m = 8$, we let $B = A^2$ and search $A$ over all $8 \times 8$ non-singular matrices over $\mathbb{F}_2$ with 1 bit XOR. At last, we get $A$ such that $\mathrm{Circ}(I, I, A, A^2)$ are MDS matrices with $\#A + \#A^2 = 3$. Furthermore, $\mathrm{Circ}(I, I, A^2, A)$ are also MDS matrices for all these $A$.

Example 3. Examples of $A, B$ such that $\mathrm{Circ}(I, I, A, B)$ and $\mathrm{Circ}(I, I, B, A)$ are MDS matrices with $\#A + \#B = 3$.
(1) $m = 4$, $A = [2, 3, 4, [1, 4]]$, $B = A^2 = [[2, 3], [3, 4], 1, 2]$.
(2) $m = 8$, $A = [2, 3, 4, 5, 6, 7, 8, [1, 3]]$, $B = A^2 = [[1, 7], [2, 8], 1, 2, 3, 4, 5, 6]$.

3.3 Constructing circulant orthogonal MDS matrices

A square matrix $L$ is called orthogonal if $L^{-1} = L^T$, where $L^T$ is the transpose of $L$. It is proven in [13] that there do not exist $2^d \times 2^d$ circulant orthogonal MDS matrices over finite fields. In this subsection, we show that $4 \times 4$ circulant orthogonal MDS matrices can also be constructed with non-commutative entries.

First, note that for $L = \mathrm{Circ}(I, A, B, C)$, where $A, B, C \in GL(m, \mathbb{F}_2)$, it holds that $L^T = \mathrm{Circ}(I, C^T, B^T, A^T)$. This means one has to implement the new entries $A^T, B^T, C^T$ in the decryption circuit when $L$ is orthogonal. In order to simplify the implementation, we let $A, B, C \in GL(m, \mathbb{F}_2)$ be symmetric matrices, which means $A = A^T$, $B = B^T$, $C = C^T$. Then it holds that $L^T = \mathrm{Circ}(I, C^T, B^T, A^T) = \mathrm{Circ}(I, C, B, A)$, and it is easy to prove the following result.

Lemma 6. Let $L = \mathrm{Circ}(I, A, B, C)$ be a circulant matrix, where $A, B, C \in GL(m, \mathbb{F}_2)$ are symmetric matrices.
Then $L$ is orthogonal if and only if the following equalities hold:
$$A^2 + B^2 = C^2, \quad AC = CA, \quad A + C = BA + CB, \quad A + C = AB + BC.$$
If $L = \mathrm{Circ}(I, A, B, C)$ is MDS, then the following matrices are non-singular:
$$B + I, \quad B + A^2, \quad B + C^2, \quad AC + I, \quad AB + C.$$
When $m = 4$, we search symmetric $A, B, C$ over $GL(4, \mathbb{F}_2)$. The fewest XORs of one row's entries of an orthogonal MDS $\mathrm{Circ}(I, A, B, C)$ is 8. There are 24 triples of $A, B, C$ such that $\mathrm{Circ}(I, A, B, C)$ are orthogonal MDS matrices with $\#A + \#B + \#C = 8$. Then we have the following result.
Theorem 6. There exist symmetric $A, B, C \in GL(4, \mathbb{F}_2)$ such that $\mathrm{Circ}(I, A, B, C)$ is an orthogonal MDS matrix. Furthermore, if $\mathrm{Circ}(I, A, B, C)$ is an orthogonal MDS matrix, then $\#A + \#B + \#C \ge 8$.

Example 4. Examples of $A, B, C$ such that $\mathrm{Circ}(I, A, B, C)$ is an orthogonal circulant MDS matrix with $\#A + \#B + \#C = 2m$.
(1) $m = 4$, $A = [1, 2, 4, [3, 4]]$, $B = [[1, 4], [2, 3, 4], [2, 3], [1, 2, 4]]$, $C = [2, [1, 2], 3, 4]$.
(2) $m = 8$, $A = \begin{pmatrix} A_1 & 0 \\ 0 & A_1 \end{pmatrix}$, $B = \begin{pmatrix} B_1 & 0 \\ 0 & B_1 \end{pmatrix}$, $C = \begin{pmatrix} C_1 & 0 \\ 0 & C_1 \end{pmatrix}$, where $A_1, B_1, C_1$ are the $A, B, C$ in the above item.

4 Lightweight Hadamard MDS matrices

In this section, we investigate the construction of lightweight Hadamard involutory and non-involutory MDS matrices respectively.

4.1 Constructing Hadamard involutory MDS matrices

In the case that $a, b, c$ are elements of a finite field, $\mathrm{Had}(1, a, b, c)$ is an involution if and only if $a^2 + b^2 = c^2$. In the case $A, B, C \in GL(m, \mathbb{F}_2)$, we have the following result.

Lemma 7. Let $A, B, C \in GL(m, \mathbb{F}_2)$. Then $L = \mathrm{Had}(I, A, B, C)$ is an involution if and only if $A, B, C$ are pairwise commutative and $A^2 + B^2 = C^2$.

Proof. By matrix multiplication, it can be checked that
$$L^2 = \mathrm{Had}(I, A, B, C) \cdot \mathrm{Had}(I, A, B, C) = \mathrm{Had}(I + A^2 + B^2 + C^2,\ BC + CB,\ AC + CA,\ AB + BA).$$
Therefore, $L$ is an involution if and only if $L^2 = \mathrm{Had}(I, 0, 0, 0)$, which is equivalent to $AB = BA$, $BC = CB$, $AC = CA$, $A^2 + B^2 = C^2$ holding simultaneously.

When $m = 4$, we search $A, B, C$ over $GL(4, \mathbb{F}_2)$ as before. The fewest XORs of one row's entries of an involutory MDS $\mathrm{Had}(I, A, B, C)$ is 6. There are 144 triples of $A, B, C$ such that $\mathrm{Had}(I, A, B, C)$ are involutory MDS matrices with $\#A + \#B + \#C = 6$. These 144 matrices are of the type $\mathrm{Had}(I, A_1, A_2, A_3)$, where $(A_1, A_2, A_3)$ is a permutation of $(A, A^{-1}, A + A^{-1})$ for 24 different $A$.

When $m = 8$, we also consider Hadamard matrices of the type $L = \mathrm{Had}(I, A, A^{-1}, A + A^{-1})$, where $A \in GL(m, \mathbb{F}_2)$. According to the above lemma, $L$ is an involution.
We use the method in [19,22] to characterize whether L is MDS. By computing the
determinants of all the square sub-matrices of $L$ and factorizing these polynomials, we get that $L$ is an MDS matrix if and only if all the following matrices are non-singular:
$$A, \quad A + I, \quad A^2 + A + I, \quad A^3 + A + I, \quad A^3 + A^2 + I.$$
Then we search $A$ over $GL(8, \mathbb{F}_2)$ with $\#A \le 3$. The fewest XORs of one row's entries of an involutory MDS $\mathrm{Had}(I, A, A^{-1}, A + A^{-1})$ is 10. We get $A$ such that $\mathrm{Had}(I, A, A^{-1}, A + A^{-1})$ are involutory MDS matrices with $\#A + \#A^{-1} + \#(A + A^{-1}) = 10$. We have also searched some other types of Hadamard matrices. However, we have not obtained a Hadamard involutory matrix with fewer than 10 XORs in one row so far.

Theorem 7. 1. Let $A, B, C \in GL(4, \mathbb{F}_2)$. If $L = \mathrm{Had}(I, A, B, C)$ is an MDS involution matrix, then $\#A + \#B + \#C \ge 6$.
2. Let $A \in GL(8, \mathbb{F}_2)$ with $\#A \le 3$. If $L = \mathrm{Had}(I, A, A^{-1}, A + A^{-1})$ is an MDS involution matrix, then $\#A + \#A^{-1} + \#(A + A^{-1}) \ge 10$.

Example 5. Examples of $A, B, C$ such that $\mathrm{Had}(I, A, B, C)$ are involutory MDS matrices with $\#A + \#B + \#C = m + 2$.
(1) $m = 4$, $A = [2, [1, 3], 4, [2, 3]]$, $B = A^{-1} = [[1, 2, 4], 1, [1, 4], 3]$, $C = A + A^{-1} = [[1, 4], 3, 1, 2]$.
(2) $m = 8$, $A = [2, 3, 4, 5, 6, 7, 8, [1, 3]]$, $B = A^{-1} = [[2, 8], 1, 2, 3, 4, 5, 6, 7]$, $C = A + A^{-1} = [8, [1, 3], [2, 4], [3, 5], [4, 6], [5, 7], [6, 8], [1, 3, 7]]$.

4.2 Constructing non-involutory Hadamard MDS matrices

In this subsection, we want to construct non-involutory Hadamard MDS matrices with as few XORs as possible. The searching strategy is similar to the previous one. If $\mathrm{Had}(I, A, B, C)$ is MDS, then the following matrices are non-singular:
$$A + I, \quad B + I, \quad C + I, \quad AB + C, \quad AC + B, \quad BA + C, \quad BC + A, \quad CB + A, \quad CA + B.$$
When $m = 4$, we search $A, B, C$ over $GL(4, \mathbb{F}_2)$. The fewest XORs of one row's entries of an MDS $\mathrm{Had}(I, A, B, C)$ is 4. There are 72 triples of $A, B, C$ such that $\mathrm{Had}(I, A, B, C)$ are MDS matrices with $\#A + \#B + \#C = 4$. These 72 matrices are of the type $\mathrm{Had}(I, A_1, A_2, A_3)$, where $(A_1, A_2, A_3)$ is a permutation of $(A, A^T, A + A^T)$ for 12 different $A$.

When $m = 8$, we search $A$ over $GL(8, \mathbb{F}_2)$ with $\#A \le 2$.
The fewest XORs of one row's entries of an MDS $\mathrm{Had}(I, A, A^T, A + A^T)$ is 8. In order to get Hadamard MDS matrices with fewer XORs in one row, we investigate Hadamard matrices of the type $\mathrm{Had}(I, A, A^T, B)$. According to our search, if $\#A \le 1$ and $\#B \le 2$, then there is no MDS $\mathrm{Had}(I, A, A^T, B)$. Then we have the following result.

Theorem 8. 1. Let $A, B, C \in GL(4, \mathbb{F}_2)$. If $L = \mathrm{Had}(I, A, B, C)$ is an MDS matrix, then $\#A + \#B + \#C \ge 4$.
2. Let $A, B \in GL(8, \mathbb{F}_2)$. If $L = \mathrm{Had}(I, A, A^T, B)$ is an MDS matrix, then $\#A + \#A^T + \#B \ge 5$.

In order to get MDS $\mathrm{Had}(I, A, A^T, B)$ with $\#A + \#A^T + \#B = 5$, we choose $A$ with $\#A = 2$ and $\mathrm{rank}(A + I) = 8$ randomly, and then test whether there exists $B$ with $\#B = 1$ such that $\mathrm{Had}(I, A, A^T, B)$ is MDS. We repeat the process several times and get 622 pairs of $A, B \in GL(8, \mathbb{F}_2)$ such that $\mathrm{Had}(I, A, A^T, B)$ is MDS and $\#A + \#A^T + \#B = 5$.

Example 6. Examples of $A, B, C$ such that $\mathrm{Had}(I, A, B, C)$ are MDS matrices for which the bounds in the above theorem hold with equality.
(1) $m = 4$, $A = [2, 3, 4, [1, 3]]$, $B = A^T = [4, 1, [2, 4], 3]$, $C = A + A^T = [[2, 4], [1, 3], 2, 1]$.
(2) $m = 8$, $A = [2, 3, 4, [1, 5], 8, 7, 5, [3, 6]]$, $B = A^T = [4, 1, [2, 8], 3, [4, 7], 8, 6, 5]$, $C = [[4, 7], 6, 5, 8, 7, 1, 2, 3]$.

We give comparisons of our constructions with previous constructions in Table 1, Table 2 and Table 3 respectively. The lower bounds on the XORs of circulant and Hadamard MDS matrices given in Section 3 and Section 4 are under the supposition $L[1, 1] = I$.

matrix type | elements | the first row | XOR count | Ref.
Circulant | $GL(8, \mathbb{F}_2)$ | $[I, I, A, B]$ | 27 | Subsection 3.2
Circulant | $\mathbb{F}_{2^8}$/0x11b | (0x02, 0x03, 0x01, 0x01) | 38 | AES [8]
Hadamard | $GL(8, \mathbb{F}_2)$ | $[I, A, A^T, B]$ | 29 | Subsection 4.2
Hadamard | $\mathbb{F}_{2^8}$/0x1c3 | (0x01, 0x02, 0x04, 0x91) | 37 | [20]
Subfield-Hadamard | $\mathbb{F}_{2^4}$/0x13 | (0x1, 0x2, 0x8, 0x9) | 34 | [20]
Table 1. Comparisons with previous constructions of non-involutory MDS matrices

matrix type | elements | the first row | XOR count | Ref.
Circulant | $GL(8, \mathbb{F}_2)$ | $[I, A, B, C]$ | 33 | Subsection 3.1
Hadamard | $GL(8, \mathbb{F}_2)$ | $[I, A, A^{-1}, A + A^{-1}]$ | 34 | Subsection 4.1
Subfield-Hadamard | $\mathbb{F}_{2^4}$/0x13 | (0x1, 0x4, 0x9, 0xd) | 36 | [20]
Hadamard | $\mathbb{F}_{2^8}$/0x165 | (0x01, 0x02, 0xb0, 0xb2) | 40 | [20]
Hadamard | $\mathbb{F}_{2^8}$/0x11d | (0x01, 0x02, 0x04, 0x06) | 46 | [3]
Compact Cauchy | $\mathbb{F}_{2^8}$/0x11b | (0x01, 0x12, 0x04, 0x16) | 78 | [7]
Hadamard-Cauchy | $\mathbb{F}_{2^8}$/0x11b | (0x01, 0x02, 0xfc, 0xfe) | 98 | [11]
Table 2. Comparisons with previous constructions of involutory MDS matrices
Therefore, it might be possible to improve the previous lower bounds when L[1, 1] ≠ I is allowed. However, the following result, obtained by exhaustive search, shows that the lower bounds cannot be improved when m = 4.
Theorem 9. Let A_i ∈ GL(4, F_2) for i = 1, ..., 4, and let A = #A_1 + #A_2 + #A_3 + #A_4. Then the following statements hold.
1. If Circ(A_1, A_2, A_3, A_4) is a circulant MDS matrix, then A ≥ 3.
2. If Circ(A_1, A_2, A_3, A_4) is a circulant involutory MDS matrix, then A ≥ 5.
3. If Had(A_1, A_2, A_3, A_4) is a Hadamard MDS matrix, then A ≥ 4.
4. If Had(A_1, A_2, A_3, A_4) is a Hadamard involutory MDS matrix, then A ≥ 6.

matrix type           | elements       | the first row              | XOR count | Ref.
Circulant             | GL(4, F_2)     | [I, I, A, B]               | 15        | Subsection 3.2
Involutory circulant  | GL(4, F_2)     | [I, A, B, C]               | 17        | Subsection 3.1
Hadamard              | GL(4, F_2)     | [I, A, B, C]               | 16        | Subsection 4.2
Hadamard              | F_{2^4}/0x13   | (0x1, 0x2, 0x8, 0x9)       | 17        | [20]
Involutory Hadamard   | GL(4, F_2)     | [I, A, A^{-1}, A + A^{-1}] | 18        | Subsection 4.1
Involutory Hadamard   | F_{2^4}/0x13   | (0x1, 0x4, 0x9, 0xd)       | 18        | [20,14]
Involutory Hadamard   | F_{2^4}/0x19   | (0x1, 0x2, 0x6, 0x4)       | 18        | [17]
Table 3. Comparisons of MDS matrices over F_2^4 and F_{2^4}

5 Lightweight Optimal 4×4 MDS Matrices

It is proven in [16] that the highest possible number of 1's and the lowest possible number of distinct entries for a 4×4 MDS matrix over a finite field are 9 and 3 respectively. A matrix having both properties simultaneously is called optimal in their presentation slides. The following matrix, given in [16], is an example of an optimal matrix:

    a 1 1 1
    1 1 b a
    1 a 1 b
    1 b a 1

Similarly to the above, we investigate the following special matrix

    L = [ A I I I ]
        [ I I B A ]
        [ I A I B ]
        [ I B A I ],

where A, B ∈ GL(m, F_2) are m×m non-singular matrices over F_2. If L is MDS, then the following matrices are non-singular: A + I, B + I, A + B, A + B^2, A^2 + B, AB + I.
When m = 4, we search A, B over GL(4, F_2), the set of all 4×4 non-singular matrices over F_2. The fewest XORs of an optimal MDS matrix is 13. There are 24 pairs A, B ∈ GL(4, F_2) such that the corresponding constructions are MDS matrices with 4#A + 3#B = 13. All these pairs satisfy B = A^2. When m = 8, we search A, B over the set of all 8×8 non-singular matrices over F_2 with exactly 1 bit XOR operation. No MDS matrix is returned. This means that if L is an optimal MDS matrix over GL(8, F_2), then either A or B has at least 2 XORs, and hence #L = 4#A + 3#B ≥ 10. Then we have the following result.

Theorem 10. Let L be a matrix constructed as above, where A, B ∈ GL(m, F_2), m = 4, 8. If L is an MDS matrix, then 4#A + 3#B ≥ 13 when m = 4, and 4#A + 3#B ≥ 10 when m = 8.

In order to get optimal matrices over GL(8, F_2) with 10 XORs, we let B = A^2 and search A over all 8×8 non-singular matrices over F_2 with 1 bit XOR operation. We get A ∈ GL(8, F_2) such that the corresponding constructions are optimal MDS matrices with 10 XORs. It is interesting that optimal 4×4 MDS matrices over GL(8, F_2) have fewer XORs than optimal 4×4 MDS matrices over GL(4, F_2).

Example 7. Examples of A, B such that L is an optimal MDS matrix attaining the bound in the above result.
(1) Let A = [[2, 3], 4, 2, 1], B = A^2 = [2, [1, 3], [1, 3, 4], 3]. Then L constructed as above is an MDS matrix with 4#A + 3#B = 13.
(2) Let A = [4, 5, 6, 8, 3, [4, 7], 1, 2], B = A^2 = [[1, 6], 4, 2, 7, 8, 5, [3, 7], 1]. Then L constructed as above is an MDS matrix with 4#A + 3#B = 10.

6 Conclusion

In the present paper, we mainly investigate the construction of 4×4 lightweight MDS matrices with entries in the set of m×m non-singular matrices over F_2. With this method, circulant, Hadamard and involutory Hadamard MDS matrices with fewer XORs than previous constructions are given. Moreover, circulant involutory MDS matrices are also constructed with our method.
Constructing lightweight MDS matrices of large order with the method of the present paper is an interesting problem that needs further study.

Acknowledgements. The authors are very grateful to the anonymous reviewers for their valuable comments. This work was supported by the 973 project under Grant (2013CB834203) and by the National Science Foundation of China (No , No ).
References
1. Augot, D., Finiasz, M.: Exhaustive search for small dimension recursive MDS diffusion layers for block ciphers and hash functions. In: 2013 IEEE International Symposium on Information Theory (ISIT). IEEE (2013)
2. Augot, D., Finiasz, M.: Direct construction of recursive MDS diffusion layers using shortened BCH codes. In: Cid, C., Rechberger, C. (eds.) FSE. LNCS, vol. 8540, pp. 3-17
3. Barreto, P., Rijmen, V.: The Anubis Block Cipher. Submission to the NESSIE Project
4. Berger, T.P.: Construction of Recursive MDS Diffusion Layers from Gabidulin Codes. In: INDOCRYPT. LNCS, vol. 8250
5. Blaum, M., Roth, R.M.: On Lowest Density MDS Codes. IEEE Transactions on Information Theory 45(1) (1999)
6. Choy, J., Yap, H., Khoo, K., Guo, J., Peyrin, T., Poschmann, A., Tan, C.H.: SPN-Hash: Improving the Provable Resistance against Differential Collision Attacks. In: AFRICACRYPT (2012)
7. Cui, T., Jin, C., Kong, Z.: On compact Cauchy matrices for substitution permutation networks. IEEE Transactions on Computers 99(PrePrints):1
8. Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer
9. Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.: The LED Block Cipher. In: Preneel, B., Takagi, T. (eds.) CHES. LNCS, vol. 6917. Springer, Heidelberg (2011)
10. Guo, J., Peyrin, T., Poschmann, A.: The PHOTON Family of Lightweight Hash Functions. In: Rogaway, P. (ed.) CRYPTO. LNCS, vol. 6841. Springer, Heidelberg (2011)
11. Gupta, K.C., Ray, I.G.: On Constructions of Involutory MDS Matrices. In: AFRICACRYPT, pp. 43-60
12. Gupta, K.C., Ray, I.G.: On constructions of MDS matrices from companion matrices for lightweight cryptography. In: Cuzzocrea, A., Kittl, C., Simos, D.E., Weippl, E., Xu, L. (eds.) CD-ARES Workshops. LNCS, vol. 8128. Springer, Heidelberg (2013)
13. Gupta, K.C., Ray, I.G.: Cryptographically significant MDS matrices based on circulant and circulant-like matrices for lightweight applications. Cryptogr. Commun. 7 (2015)
14. Jean, J., Nikolić, I., Peyrin, T.: Joltik v1.1. Submission to the CAESAR competition, syllab/joltik
15. Nakahara Jr., J., Abrahão, É.: A new involutory MDS matrix for the AES. I. J. Network Security 9(2)
16. Junod, P., Vaudenay, S.: Perfect Diffusion Primitives for Block Ciphers: Building Efficient MDS Matrices. In: Handschuh, H., Hasan, M.A. (eds.) SAC. LNCS, vol. 3357. Springer, Heidelberg (2004)
17. Kavun, E.B., Lauridsen, M.M., Leander, G., Rechberger, C., Schwabe, P., Yalçın, T.: Prøst v1.1. Submission to the CAESAR competition
18. Khoo, K., Peyrin, T., Poschmann, A., Yap, H.: FOAM: Searching for Hardware Optimal SPN Structures and Components with a Fair Comparison. In: Cryptographic Hardware and Embedded Systems - CHES 2014. LNCS, vol. 8731. Springer, Heidelberg (2014)
19. Sajadieh, M., Dakhilalian, M., Mala, H., Sepehrdad, P.: Recursive Diffusion Layers for Block Ciphers and Hash Functions. In: Canteaut, A. (ed.) FSE. LNCS, vol. 7549. Springer, Heidelberg (2012)
20. Sim, S.M., Khoo, K., Oggier, F., Peyrin, T.: Lightweight MDS Involution Matrices. In: Leander, G., Demirci, H. (eds.) FSE. LNCS. Springer (2015)
21. Vaudenay, S.: On the Need for Multipermutations: Cryptanalysis of MD4 and SAFER. In: 2nd International Workshop on Fast Software Encryption. Springer-Verlag (1994)
22. Wu, S., Wang, M., Wu, W.: Recursive Diffusion Layers for (Lightweight) Block Ciphers and Hash Functions. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707

A More Examples of Circulant Involutory MDS Matrices

In this appendix, we give more examples of circulant involutory MDS matrices achieving the lower bounds in the paper.

A.1 m = 4

The following triples are <A, B, C>, where B = (A + C)^4, such that Circ(I, A, B, C) is a circulant involutory MDS matrix over (F_2^4)^4 and #A + #B + #C = 5. For all these triples, Circ(I, C, B, A) is also a circulant involutory MDS matrix.

1. <<1, 2, <1, 3>, <1, 2, 4>>, <2, <1, 2>, <3, 4>, 3>, <4, 3, 2, 1>>
2. <<1, 2, <2, 3>, <1, 2, 4>>, <<1, 2>, 1, <3, 4>, 3>, <3, 4, 1, 2>>
3. <<1, 2, <1, 2, 3>, <1, 4>>, <2, <1, 2>, 4, <3, 4>>, <3, 4, 1, 2>>
4. <<1, 2, <1, 2, 3>, <2, 4>>, <<1, 2>, 1, 4, <3, 4>>, <4, 3, 2, 1>>
5. <<1, <1, 2>, 3, <1, 3, 4>>, <3, <2, 4>, <1, 3>, 2>, <4, 3, 2, 1>>
6. <<1, <1, 2>, <1, 3, 4>, 4>, <4, <2, 3>, 2, <1, 4>>, <3, 4, 1, 2>>
7. <<1, <2, 3>, 3, <1, 3, 4>>, <<1, 3>, <2, 4>, 1, 2>, <2, 1, 4, 3>>
8. <<1, <1, 2, 3>, 3, <1, 4>>, <3, 4, <1, 3>, <2, 4>>, <2, 1, 4, 3>>
9. <<1, <1, 2, 3>, 3, <3, 4>>, <<1, 3>, 4, 1, <2, 4>>, <4, 3, 2, 1>>
10. <<1, <2, 4>, <1, 3, 4>, 4>, <<1, 4>, <2, 3>, 2, 1>, <2, 1, 4, 3>>
11. <<1, <1, 2, 4>, <1, 3>, 4>, <4, 3, <2, 3>, <1, 4>>, <2, 1, 4, 3>>
12. <<1, <1, 2, 4>, <3, 4>, 4>, <<1, 4>, 3, <2, 3>, 1>, <3, 4, 1, 2>>
13. <<2, 1, 4, 3>, <<1, 4>, <2, 3>, 2, 1>, <<1, 3>, 2, 3, <2, 3, 4>>>
14. <<2, 1, 4, 3>, <4, 3, <2, 3>, <1, 4>>, <<1, 2, 3>, 2, 3, <2, 4>>>
15. <<2, 1, 4, 3>, <<1, 3>, <2, 4>, 1, 2>, <<1, 4>, 2, <2, 3, 4>, 4>>
16. <<2, 1, 4, 3>, <3, 4, <1, 3>, <2, 4>>, <<1, 2, 4>, 2, <2, 3>, 4>>
17. <<<1, 2>, 2, 3, <2, 3, 4>>, <<1, 4>, 3, <2, 3>, 1>, <3, 4, 1, 2>>
18. <<<1, 2>, 2, <2, 3, 4>, 4>, <<1, 3>, 4, 1, <2, 4>>, <4, 3, 2, 1>>
19. <<3, 4, 1, 2>, <4, <2, 3>, 2, <1, 4>>, <<1, 2, 3>, 2, 3, <3, 4>>>
20. <<3, 4, 1, 2>, <<1, 2>, 1, <3, 4>, 3>, <<1, 4>, <2, 3, 4>, 3, 4>>
21. <<3, 4, 1, 2>, <2, <1, 2>, 4, <3, 4>>, <<1, 3, 4>, <2, 3>, 3, 4>>
22. <<<1, 3>, <2, 3, 4>, 3, 4>, <<1, 2>, 1, 4, <3, 4>>, <4, 3, 2, 1>>
23. <<4, 3, 2, 1>, <3, <2, 4>, <1, 3>, 2>, <<1, 2, 4>, 2, <3, 4>, 4>>
24. <<4, 3, 2, 1>, <2, <1, 2>, <3, 4>, 3>, <<1, 3, 4>, <2, 4>, 3, 4>>

A.2 m = 8

We list 128 triples <A, B, C> in the following, where B = (A + C)^16, such that Circ(I, A, B, C) is a circulant involutory MDS matrix over (F_2^8)^4 and #A + #B + #C = 9. For all these triples, Circ(I, C, B, A) is also a circulant involutory MDS matrix.

1. <<1, 2, <1, 3>, <1, 2, 4>, 6, 5, 8, 7>, <<5, 6>, 1, 6, <3, 5>, 8, 7, <1, 4>, <2, 4>>, <8, 5, <2, 7>, 6, 2, 4, <3, 5>, 1>>
2. <<1, 2, <1, 3>, <1, 2, 4>, 6, 5, 8, 7>, <<7, 8>, 1, 7, <3, 8>, <1, 4>, <2, 4>, 5, 6>, <6, 8, <2, 5>, 7, <3, 8>, 1, 4, 2>>
3. <<1, 2, <1, 3>, <1, 2, 4>, 6, 5, 8, 7>, <<7, 8>, 1, 7, <3, 8>, <2, 4>, <1, 4>, 6, 5>, <5, 8, <2, 6>, 7, 1, <3, 8>, 4, 2>>
4. <<1, 2, <1, 3>, <1, 2, 4>, 6, 5, 8, 7>, <<7, 8>, 1, 8, <3, 7>, <1, 4>, <2, 4>, 6, 5>, <6, 7, <2, 5>, 8, <3, 7>, 1, 2, 4>>
5. <<1, 2, <1, 3>, <1, 2, 4>, 7, 8, 5, 6>, <<5, 7>, 1, 5, <3, 7>, 6, <1, 4>, 8, <2, 4>>, <8, 7, <2, 6>, 5, 4, <3, 7>, 2, 1>>
6. <<1, 2, <1, 3>, <1, 2, 4>, 7, 8, 5, 6>, <<6, 8>, 1, 8, <3, 6>, <2, 4>, 5, <1, 4>, 7>, <5, 6, <2, 7>, 8, 1, 2, <3, 6>, 4>>
7. <<1, 2, <1, 3>, <1, 2, 4>, 8, 7, 6, 5>, <<6, 7>, 1, 6, <3, 7>, <1, 4>, 5, 8, <2, 4>>, <8, 7, <2, 5>, 6, <3, 7>, 4, 2, 1>>
8. <<1, 2, <1, 3>, <1, 2, 4>, 8, 7, 6, 5>, <<6, 7>, 1, 6, <3, 7>, <2, 4>, 8, 5, <1, 4>>, <5, 7, <2, 8>, 6, 1, 4, 2, <3, 7>>>
9. <<1, 2, <1, 3>, <1, 2, 4>, 8, 7, 6, 5>, <<6, 7>, 1, 7, <3, 6>, <1, 4>, 8, 5, <2, 4>>, <8, 6, <2, 5>, 7, <3, 6>, 2, 4, 1>>
10. <<1, 2, <1, 3>, 5, 4, <1, 2, 6>, 8, 7>, <<4, 5>, 1, 4, 7, 8, <3, 5>, <1, 6>, <2, 6>>, <8, 5, <2, 7>, 6, 2, 4, <3, 5>, 1>>
11. <<1, 2, <1, 3>, 5, 4, <1, 2, 6>, 8, 7>, <<4, 5>, 1, 4, 8, 7, <3, 5>, <2, 6>, <1, 6>>, <7, 5, <2, 8>, 6, 2, 4, 1, <3, 5>>>
12. <<1, 2, <1, 3>, 5, 4, <1, 2, 6>, 8, 7>, <<4, 5>, 1, 5, 8, 7, <3, 4>, <1, 6>, <2, 6>>, <8, 4, <2, 7>, 2, 6, 5, <3, 4>, 1>>
13. <<1, 2, <1, 3>, 5, 4, <1, 2, 6>, 8, 7>, <<7, 8>, 1, 7, <1, 6>, <2, 6>, <3, 8>, 4, 5>, <5, 8, <2, 4>, <3, 8>, 1, 7, 6, 2>>
14. <<1, 2, <1, 3>, 5, 4, <1, 2, 6>, 8, 7>, <<7, 8>, 1, 8, <1, 6>, <2, 6>, <3, 7>, 5, 4>, <5, 7, <2, 4>, <3, 7>, 1, 8, 2, 6>>
15. <<1, 2, <1, 3>, 5, 4, <1, 2, 6>, 8, 7>, <<7, 8>, 1, 8, <2, 6>, <1, 6>, <3, 7>, 4, 5>, <4, 7, <2, 5>, 1, <3, 7>, 8, 2, 6>>
16. <<1, 2, <1, 3>, 5, 4, 7, 6, <1, 2, 8>>, <<4, 5>, 1, 4, 7, 6, <2, 8>, <1, 8>, <3, 5>>, <6, 5, <2, 7>, 8, 2, 1, <3, 5>, 4>>
17. <<1, 2, <1, 3>, 5, 4, 7, 6, <1, 2, 8>>, <<6, 7>, 1, 7, <1, 8>, <2, 8>, 5, 4, <3, 6>>, <5, 6, <2, 4>, <3, 6>, 1, 2, 8, 7>>
18. <<1, 2, <1, 3>, 5, 4, 7, 6, <1, 2, 8>>, <<6, 7>, 1, 7, <2, 8>, <1, 8>, 4, 5, <3, 6>>, <4, 6, <2, 5>, 1, <3, 6>, 2, 8, 7>>
19. <<1, 2, <1, 3>, 5, 4, 8, <1, 2, 7>, 6>, <<4, 5>, 1, 5, 8, 6, <1, 7>, <3, 4>, <2, 7>>, <8, 4, <2, 6>, 2, 7, <3, 4>, 5, 1>>
20. <<1, 2, <1, 3>, 5, 4, 8, <1, 2, 7>, 6>, <<6, 8>, 1, 8, <1, 7>, <2, 7>, 5, <3, 6>, 4>, <5, 6, <2, 4>, <3, 6>, 1, 2, 8, 7>>
21. <<1, 2, <1, 3>, 6, <1, 2, 5>, 4, 8, 7>, <<4, 6>, 1, 4, 7, <3, 6>, 8, <1, 5>, <2, 5>>, <8, 6, <2, 7>, 5, 4, 2, <3, 6>, 1>>
22. <<1, 2, <1, 3>, 6, <1, 2, 5>, 4, 8, 7>, <<4, 6>, 1, 6, 7, <3, 4>, 8, <2, 5>, <1, 5>>, <7, 4, <2, 8>, 2, 6, 5, 1, <3, 4>>>
23. <<1, 2, <1, 3>, 6, <1, 2, 5>, 4, 8, 7>, <<7, 8>, 1, 7, <2, 5>, <3, 8>, <1, 5>, 6, 4>, <4, 8, <2, 6>, 1, 7, <3, 8>, 5, 2>>
24. <<1, 2, <1, 3>, 6, <1, 2, 5>, 4, 8, 7>, <<7, 8>, 1, 8, <2, 5>, <3, 7>, <1, 5>, 4, 6>, <4, 7, <2, 6>, 1, 8, <3, 7>, 2, 5>>
25. <<1, 2, <1, 3>, 6, 7, 4, 5, <1, 2, 8>>, <<4, 6>, 1, 4, 5, <1, 8>, 7, <2, 8>, <3, 6>>, <7, 6, <2, 5>, 8, <3, 6>, 2, 1, 4>>
26. <<1, 2, <1, 3>, 6, 7, 4, 5, <1, 2, 8>>, <<4, 6>, 1, 6, 5, <2, 8>, 7, <1, 8>, <3, 4>>, <5, 4, <2, 7>, 2, 1, 8, <3, 4>, 6>>
27. <<1, 2, <1, 3>, 6, 7, 4, 5, <1, 2, 8>>, <<4, 6>, 1, 6, 7, <1, 8>, 5, <2, 8>, <3, 4>>, <7, 4, <2, 5>, 2, <3, 4>, 8, 1, 6>>
28. <<1, 2, <1, 3>, 6, 7, 4, 5, <1, 2, 8>>, <<5, 7>, 1, 5, <1, 8>, 4, <2, 8>, 6, <3, 7>>, <6, 7, <2, 4>, <3, 7>, 8, 1, 2, 5>>
29. <<1, 2, <1, 3>, 6, 7, 4, 5, <1, 2, 8>>, <<5, 7>, 1, 7, <1, 8>, 6, <2, 8>, 4, <3, 5>>, <6, 5, <2, 4>, <3, 5>, 2, 1, 8, 7>>
30. <<1, 2, <1, 3>, 6, 7, 4, 5, <1, 2, 8>>, <<5, 7>, 1, 7, <2, 8>, 4, <1, 8>, 6, <3, 5>>, <4, 5, <2, 6>, 1, 2, <3, 5>, 8, 7>>
31. <<1, 2, <1, 3>, 6, 8, 4, <1, 2, 7>, 5>, <<4, 6>, 1, 4, 8, <2, 7>, 5, <3, 6>, <1, 7>>, <5, 6, <2, 8>, 7, 1, 2, 4, <3, 6>>>
32. <<1, 2, <1, 3>, 6, 8, 4, <1, 2, 7>, 5>, <<4, 6>, 1, 6, 8, <1, 7>, 5, <3, 4>, <2, 7>>, <8, 4, <2, 5>, 2, <3, 4>, 7, 6, 1>>
33. <<1, 2, <1, 3>, 6, 8, 4, <1, 2, 7>, 5>, <<5, 8>, 1, 5, <2, 7>, 6, <1, 7>, <3, 8>, 4>, <4, 8, <2, 6>, 1, 7, <3, 8>, 5, 2>>
34. <<1, 2, <1, 3>, 6, 8, 4, <1, 2, 7>, 5>, <<5, 8>, 1, 8, <1, 7>, 6, <2, 7>, <3, 5>, 4>, <6, 5, <2, 4>, <3, 5>, 2, 1, 8, 7>>
35. <<1, 2, <1, 3>, 7, <1, 2, 5>, 8, 4, 6>, <<4, 7>, 1, 4, 6, <3, 7>, <1, 5>, 8, <2, 5>>, <8, 7, <2, 6>, 5, 4, <3, 7>, 2, 1>>
36. <<1, 2, <1, 3>, 7, <1, 2, 5>, 8, 4, 6>, <<4, 7>, 1, 4, 8, <3, 7>, <2, 5>, 6, <1, 5>>, <6, 7, <2, 8>, 5, 4, 1, 2, <3, 7>>>
37. <<1, 2, <1, 3>, 7, <1, 2, 5>, 8, 4, 6>, <<6, 8>, 1, 6, <1, 5>, <3, 8>, 4, <2, 5>, 7>, <7, 8, <2, 4>, <3, 8>, 6, 5, 1, 2>>
38. <<1, 2, <1, 3>, 7, <1, 2, 5>, 8, 4, 6>, <<6, 8>, 1, 6, <2, 5>, <3, 8>, 7, <1, 5>, 4>, <4, 8, <2, 7>, 1, 6, 5, <3, 8>, 2>>
39. <<1, 2, <1, 3>, 7, <1, 2, 5>, 8, 4, 6>, <<6, 8>, 1, 8, <1, 5>, <3, 6>, 7, <2, 5>, 4>, <7, 6, <2, 4>, <3, 6>, 8, 2, 1, 5>>
40. <<1, 2, <1, 3>, 7, 6, 5, 4, <1, 2, 8>>, <<5, 6>, 1, 6, <1, 8>, 7, 4, <2, 8>, <3, 5>>, <7, 5, <2, 4>, <3, 5>, 2, 8, 1, 6>>
41. <<1, 2, <1, 3>, 7, 6, 5, 4, <1, 2, 8>>, <<5, 6>, 1, 6, <2, 8>, 4, 7, <1, 8>, <3, 5>>, <4, 5, <2, 7>, 1, 2, 8, <3, 5>, 6>>
42. <<1, 2, <1, 3>, 7, 8, <1, 2, 6>, 4, 5>, <<4, 7>, 1, 4, 5, <1, 6>, <3, 7>, 8, <2, 6>>, <8, 7, <2, 5>, 6, <3, 7>, 4, 2, 1>>
43. <<1, 2, <1, 3>, 7, 8, <1, 2, 6>, 4, 5>, <<4, 7>, 1, 4, 8, <2, 6>, <3, 7>, 5, <1, 6>>, <5, 7, <2, 8>, 6, 1, 4, 2, <3, 7>>>
44. <<1, 2, <1, 3>, 7, 8, <1, 2, 6>, 4, 5>, <<4, 7>, 1, 7, 5, <2, 6>, <3, 4>, 8, <1, 6>>, <5, 4, <2, 8>, 2, 1, 7, 6, <3, 4>>>
45. <<1, 2, <1, 3>, 7, 8, <1, 2, 6>, 4, 5>, <<4, 7>, 1, 7, 8, <1, 6>, <3, 4>, 5, <2, 6>>, <8, 4, <2, 5>, 2, <3, 4>, 7, 6, 1>>
46. <<1, 2, <1, 3>, 7, 8, <1, 2, 6>, 4, 5>, <<5, 8>, 1, 5, <1, 6>, 4, <3, 8>, <2, 6>, 7>, <7, 8, <2, 4>, <3, 8>, 6, 5, 1, 2>>
47. <<1, 2, <1, 3>, 7, 8, <1, 2, 6>, 4, 5>, <<5, 8>, 1, 8, <1, 6>, 7, <3, 5>, <2, 6>, 4>, <7, 5, <2, 4>, <3, 5>, 2, 8, 1, 6>>
48. <<1, 2, <1, 3>, 8, <1, 2, 5>, 7, 6, 4>, <<6, 7>, 1, 6, <1, 5>, <3, 7>, 4, 8, <2, 5>>, <8, 7, <2, 4>, <3, 7>, 6, 5, 2, 1>>
49. <<1, 2, <1, 3>, 8, <1, 2, 5>, 7, 6, 4>, <<6, 7>, 1, 7, <2, 5>, <3, 6>, 4, 8, <1, 5>>, <4, 6, <2, 8>, 1, 7, 2, 5, <3, 6>>>
50. <<1, 2, <1, 3>, 8, <1, 2, 5>, 7, 6, 4>, <<4, 8>, 1, 4, 6, <3, 8>, <1, 5>, <2, 5>, 7>, <7, 8, <2, 6>, 5, 4, <3, 8>, 1, 2>>
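The claims made for the listed triples (B = (A + C)^4, Circ(I, A, B, C) and Circ(I, C, B, A) involutory and MDS, #A + #B + #C = 5) and for Example 6 can be checked mechanically. The Python script below is an added example written for this page, not code from the paper: it parses the paper's entry notation (a bracketed or <...> list per output bit naming the input bits that are XORed into it, 1-based), computes #M, sums, products, powers and transposes of the F_2 bit matrices, assembles Circ(I, A, B, C) and Had(I, A, B, C) as km×km bit matrices, and tests the MDS property by checking that every square block sub-matrix is non-singular (the criterion of Section 2, valid for non-commuting entries) and the involutory property by squaring. Two conventions are assumed here because the page does not spell them out: Circ rotates each row one block to the right relative to the row above, and Had places A_{i xor j} at block (i, j); the appendix's remark that Circ(I, C, B, A) also works covers the other rotation direction. The script runs on triple 1 of A.1 and on Example 6 (1), both transcribed from the paper.

```python
"""Checker for the bit-matrix notation of this paper (added example, not the paper's code)."""
from functools import reduce
from itertools import combinations
from operator import xor


def parse(entries):
    """Paper notation -> row bitmasks: [[2, 3], 4, 2, 1] means output bit 1 = x2 + x3,
    bit 2 = x4, bit 3 = x2, bit 4 = x1 (1-based; the appendix writes <...> for [...])."""
    rows = []
    for e in entries:
        mask = 0
        for p in (e if isinstance(e, (list, tuple)) else (e,)):
            mask |= 1 << (p - 1)
        rows.append(mask)
    return rows


def xor_count(M):
    """#M in the paper: XOR gates to evaluate M, i.e. the sum over rows of (weight - 1)."""
    return sum(bin(r).count("1") - 1 for r in M)


def identity(m):
    return [1 << i for i in range(m)]


def add(A, B):  # matrix sum over F_2
    return [a ^ b for a, b in zip(A, B)]


def mul(A, B):
    """Row i of AB is the XOR of the rows of B selected by the 1-bits of row i of A."""
    return [reduce(xor, (B[j] for j in range(len(B)) if (r >> j) & 1), 0) for r in A]


def power(A, e):
    R = identity(len(A))
    for _ in range(e):
        R = mul(R, A)
    return R


def transpose(A):
    m = len(A)
    return [sum(((A[j] >> i) & 1) << j for j in range(m)) for i in range(m)]


def rank(rows):
    """Rank over F_2: reduce each row by the pivot with the same leading bit; the
    pivots that remain have distinct leading bits and are therefore independent."""
    pivots = {}
    for v in rows:
        while v and (v.bit_length() - 1) in pivots:
            v ^= pivots[v.bit_length() - 1]
        if v:
            pivots[v.bit_length() - 1] = v
    return len(pivots)


def block_matrix(blocks):
    """k x k array of m x m bitmask matrices -> one km x km bitmask matrix."""
    k, m = len(blocks), len(blocks[0][0])
    return [sum(blocks[bi][bj][r] << (bj * m) for bj in range(k))
            for bi in range(k) for r in range(m)]


def circ(*e):
    """Circ(A_1, ..., A_k): each row is the one above rotated one block to the right (assumed)."""
    k = len(e)
    return [[e[(j - i) % k] for j in range(k)] for i in range(k)]


def had(*e):
    """Had(A_0, ..., A_{k-1}), k a power of two: block (i, j) is A_{i xor j} (assumed)."""
    return [[e[i ^ j] for j in range(len(e))] for i in range(len(e))]


def is_mds(blocks):
    """MDS over GL(m, F_2): every square block sub-matrix is non-singular as a bit
    matrix, i.e. branch number k + 1. The entries need not commute."""
    k, m = len(blocks), len(blocks[0][0])
    return all(rank(block_matrix([[blocks[i][j] for j in cols] for i in rows])) == size * m
               for size in range(1, k + 1)
               for rows in combinations(range(k), size)
               for cols in combinations(range(k), size))


def is_involutory(blocks):
    L = block_matrix(blocks)
    return mul(L, L) == identity(len(L))


def check_circulant_triple(A, B, C, exponent):
    """What Appendix A claims for a listed <A, B, C>: B = (A + C)^exponent, both
    Circ(I, A, B, C) and Circ(I, C, B, A) are involutory MDS, plus the XOR total."""
    I = identity(len(A))
    L, L_rev = circ(I, A, B, C), circ(I, C, B, A)
    return {"xor_sum": xor_count(A) + xor_count(B) + xor_count(C),
            "B_is_power_of_A_plus_C": B == power(add(A, C), exponent),
            "involutory": is_involutory(L) and is_involutory(L_rev),
            "mds": is_mds(L) and is_mds(L_rev)}


def check_hadamard_example6():
    """Example 6 (1): Had(I, A, A^T, A + A^T) with A = [2, 3, 4, [1, 3]] from the paper."""
    A = parse([2, 3, 4, [1, 3]])
    B, C = transpose(A), add(A, transpose(A))
    return {"B_matches_paper": B == parse([4, 1, [2, 4], 3]),
            "C_matches_paper": C == parse([[2, 4], [1, 3], 2, 1]),
            "xor_sum": xor_count(A) + xor_count(B) + xor_count(C),
            "mds": is_mds(had(identity(4), A, B, C))}


# Triple 1 of Appendix A.1 (m = 4), transcribed from the paper.
TRIPLE_1 = (parse([1, 2, [1, 3], [1, 2, 4]]), parse([2, [1, 2], [3, 4], 3]), parse([4, 3, 2, 1]))

if __name__ == "__main__":
    print(check_circulant_triple(*TRIPLE_1, exponent=4))
    print(check_hadamard_example6())
    print(is_mds(circ(*[identity(4)] * 4)))  # Circ(I, I, I, I): a singular 2 x 2 sub-matrix
```

For the m = 8 triples of A.2 the same call works with exponent=16; the MDS test then factors 64-bit rows, which is still instant. Squaring Circ(I, A, B, C) block by block shows that L^2 = I holds exactly when A^2 = C^2, AB = BA, BC = CB and B^2 = AC + CA, so a listed triple is a solution of these four equations; the script confirms them numerically through is_involutory rather than symbolically.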
DIGITAL ELECTRONICS & it0203 Semester 3 P.Rajasekar & C.M.T.Karthigeyan Asst.Professor SRM University, Kattankulathur School of Computing, Department of IT 8/22/20 Disclaimer The contents of the slides
More informationNew Address Shift Linear Feedback Shift Register Generator
New Address Shift Linear Feedback Shift Register Generator Kholood J. Moulood Department of Mathematical, Tikrit University, College of Education for Women, Salahdin. E-mail: khmsc2006@yahoo.com. Abstract
More informationCSE 101. Algorithm Design and Analysis Miles Jones Office 4208 CSE Building Lecture 9: Greedy
CSE 101 Algorithm Design and Analysis Miles Jones mej016@eng.ucsd.edu Office 4208 CSE Building Lecture 9: Greedy GENERAL PROBLEM SOLVING In general, when you try to solve a problem, you are trying to find
More informationA Functional Representation of Fuzzy Preferences
Forthcoming on Theoretical Economics Letters A Functional Representation of Fuzzy Preferences Susheng Wang 1 October 2016 Abstract: This paper defines a well-behaved fuzzy order and finds a simple functional
More informationAtomic-AES v2.0.
Atomic-AES v2.0 Subhadeep Banik 1, Andrey Bogdanov 2 and Francesco Regazzoni 3 1 Temasek Labs, Nanyang Technological University, Singapore bsubhadeep@ntu.edu.sg 2 DTU Compute, Technical University of Denmark,
More informationALONG with the progressive device scaling, semiconductor
IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS II: EXPRESS BRIEFS, VOL. 57, NO. 4, APRIL 2010 285 LUT Optimization for Memory-Based Computation Pramod Kumar Meher, Senior Member, IEEE Abstract Recently, we
More informationA Hardware Oriented Method to Generate and Evaluate Nonlinear Interleaved Sequences with Desired properties
A Hardware Oriented Method to Generate and Evaluate Nonlinear Interleaved Sequences with Desired properties Quynh Le Chi 1 Cuong Nguyen Le 2 Thang Pham Xuan 2 1. Van Lang University, 45 Tran Khac Nhu,
More informationSecurity Assessment of TUAK Algorithm Set
Security Assessment of TUAK Algorithm Set PROJECT REPORT by Guang Gong, Kalikinkar Mandal, Yin Tan, Teng Wu { ggong, kmandal, yin.tan, teng.wu }@uwaterloo.ca Communications Security Lab Department of Electrical
More informationMusic and Mathematics: On Symmetry
Music and Mathematics: On Symmetry Monday, February 11th, 2019 Introduction What role does symmetry play in aesthetics? Is symmetrical art more beautiful than asymmetrical art? Is music that contains symmetries
More informationAttacking of Stream Cipher Systems Using a Genetic Algorithm
Attacking of Stream Cipher Systems Using a Genetic Algorithm Hameed A. Younis (1) Wasan S. Awad (2) Ali A. Abd (3) (1) Department of Computer Science/ College of Science/ University of Basrah (2) Department
More informationDesign for Test. Design for test (DFT) refers to those design techniques that make test generation and test application cost-effective.
Design for Test Definition: Design for test (DFT) refers to those design techniques that make test generation and test application cost-effective. Types: Design for Testability Enhanced access Built-In
More informationHigh-Speed Hybrid Ring Generator Design Providing Maximum-Length Sequences with Low Hardware Cost
Technical Report High-Speed Hybrid Ring Generator Design Providing Maximum-Length Sequences with Low Hardware Cost Laung-Terng Wang, Nur A. Touba, Richard P. Brent, Hui Wang, and Hui Xu UT-CERC-- October,
More informationCryptography CS 555. Topic 5: Pseudorandomness and Stream Ciphers. CS555 Spring 2012/Topic 5 1
Cryptography CS 555 Topic 5: Pseudorandomness and Stream Ciphers CS555 Spring 2012/Topic 5 1 Outline and Readings Outline Stream ciphers LFSR RC4 Pseudorandomness Readings: Katz and Lindell: 3.3, 3.4.1
More informationPiya Pal. California Institute of Technology, Pasadena, CA GPA: 4.2/4.0 Advisor: Prof. P. P. Vaidyanathan
Piya Pal 1200 E. California Blvd MC 136-93 Pasadena, CA 91125 Tel: 626-379-0118 E-mail: piyapal@caltech.edu http://www.systems.caltech.edu/~piyapal/ Education Ph.D. in Electrical Engineering Sep. 2007
More informationEmbedding Multilevel Image Encryption in the LAR Codec
Embedding Multilevel Image Encryption in the LAR Codec Jean Motsch, Olivier Déforges, Marie Babel To cite this version: Jean Motsch, Olivier Déforges, Marie Babel. Embedding Multilevel Image Encryption
More informationLFSR Counter Implementation in CMOS VLSI
LFSR Counter Implementation in CMOS VLSI Doshi N. A., Dhobale S. B., and Kakade S. R. Abstract As chip manufacturing technology is suddenly on the threshold of major evaluation, which shrinks chip in size
More informationTEST PATTERNS COMPRESSION TECHNIQUES BASED ON SAT SOLVING FOR SCAN-BASED DIGITAL CIRCUITS
TEST PATTERNS COMPRESSION TECHNIQUES BASED ON SAT SOLVING FOR SCAN-BASED DIGITAL CIRCUITS Jiří Balcárek Informatics and Computer Science, 1-st class, full-time study Supervisor: Ing. Jan Schmidt, Ph.D.,
More informationA Pseudorandom Binary Generator Based on Chaotic Linear Feedback Shift Register
A Pseudorandom Binary Generator Based on Chaotic Linear Feedback Shift Register Saad Muhi Falih Department of Computer Technical Engineering Islamic University College Al Najaf al Ashraf, Iraq saadmuheyfalh@gmail.com
More informationRESEARCH OF FRAME SYNCHRONIZATION TECHNOLOGY BASED ON PERFECT PUNCTURED BINARY SEQUENCE PAIRS
Research Rev. Adv. Mater. of frame Sci. synchronization 33 (2013) 261-265 technology based on perfect punctured binary sequence pairs 261 RESEARCH OF FRAME SYNCHRONIZATION TECHNOLOGY BASED ON PERFECT PUNCTURED
More informationDigital Circuits. Electrical & Computer Engineering Department (ECED) Course Notes ECED2200. ECED2200 Digital Circuits Notes 2012 Dalhousie University
1 Digital Circuits Electrical & Computer Engineering Department (ECED) Course Notes ECED2200 2 Table of Contents Digital Circuits... 7 Logic Gates... 8 AND Gate... 8 OR Gate... 9 NOT Gate... 10 NOR Gate...
More informationA Very Compact FPGA Implementation of LED and PHOTON
A Very Compact FPGA Implementation of LED and PHOTON N. Nalla Anandakumar 1,2, Thomas Peyrin 1 and Axel Poschmann 1,3 1 Division of Mathematical Sciences, School of Physical and Mathematical Science, Nanyang
More information854 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS I: REGULAR PAPERS, VOL. 62, NO. 3, MARCH 2015
854 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS I: REGULAR PAPERS, VOL. 62, NO. 3, MARCH 2015 Efficient Subquadratic Space Complexity Architectures Parallel MPB Single- and Double-Multiplications All Trinomials
More informationHardware Implementation of Viterbi Decoder for Wireless Applications
Hardware Implementation of Viterbi Decoder for Wireless Applications Bhupendra Singh 1, Sanjeev Agarwal 2 and Tarun Varma 3 Deptt. of Electronics and Communication Engineering, 1 Amity School of Engineering
More informationDevelopment of Simple-Matrix LCD Module for Motion Picture
Development of Simple-Matrix LCD Module for Motion Picture Kunihiko Yamamoto* Shinya Takahashi* Kouki Taniguchi* * A1203 Project Team Abstract A simple-matrix LCD module (12.1-in. SVGA) has been developed
More informationTesting of Cryptographic Hardware
Testing of Cryptographic Hardware Presented by: Debdeep Mukhopadhyay Dept of Computer Science and Engineering, Indian Institute of Technology Madras Motivation Behind the Work VLSI of Cryptosystems have
More informationOMS Based LUT Optimization
International Journal of Advanced Education and Research ISSN: 2455-5746, Impact Factor: RJIF 5.34 www.newresearchjournal.com/education Volume 1; Issue 5; May 2016; Page No. 11-15 OMS Based LUT Optimization
More informationModified Generalized Integrated Interleaved Codes for Local Erasure Recovery
Modified Generalized Integrated Interleaved Codes for Local Erasure Recovery Xinmiao Zhang Dept. of Electrical and Computer Engineering The Ohio State University Outline Traditional failure recovery schemes
More informationNUMB3RS Activity: Coded Messages. Episode: The Mole
Teacher Page 1 : Coded Messages Topic: Inverse Matrices Grade Level: 10-11 Objective: Students will learn how to apply inverse matrix multiplication to the coding of values. Time: 15 minutes Materials:
More informationDesign of Memory Based Implementation Using LUT Multiplier
Design of Memory Based Implementation Using LUT Multiplier Charan Kumar.k 1, S. Vikrama Narasimha Reddy 2, Neelima Koppala 3 1,2 M.Tech(VLSI) Student, 3 Assistant Professor, ECE Department, Sree Vidyanikethan
More informationPerformance Evaluation of Stream Ciphers on Large Databases
IJCSNS International Journal of Computer Science and Network Security, VOL.8 No.9, September 28 285 Performance Evaluation of Stream Ciphers on Large Databases Dr.M.Sikandar Hayat Khiyal Aihab Khan Saria
More informationIN 1968, Anderson [6] proposed a memory structure named
IEEE TRANSACTIONS ON NEURAL NETWORKS, VOL 16, NO 2, MARCH 2005 293 Encoding Strategy for Maximum Noise Tolerance Bidirectional Associative Memory Dan Shen Jose B Cruz, Jr, Life Fellow, IEEE Abstract In
More informationSTA4000 Report Decrypting Classical Cipher Text Using Markov Chain Monte Carlo
STA4000 Report Decrypting Classical Cipher Text Using Markov Chain Monte Carlo Jian Chen Supervisor: Professor Jeffrey S. Rosenthal May 12, 2010 Abstract In this paper, we present the use of Markov Chain
More informationImproving Performance in Neural Networks Using a Boosting Algorithm
- Improving Performance in Neural Networks Using a Boosting Algorithm Harris Drucker AT&T Bell Laboratories Holmdel, NJ 07733 Robert Schapire AT&T Bell Laboratories Murray Hill, NJ 07974 Patrice Simard
More informationApplication of Symbol Avoidance in Reed-Solomon Codes to Improve their Synchronization
Application of Symbol Avoidance in Reed-Solomon Codes to Improve their Synchronization Thokozani Shongwe Department of Electrical and Electronic Engineering Science, University of Johannesburg, P.O. Box
More informationOn the Optimal Compressions in the Compress-and-Forward Relay Schemes
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 59, NO. 5, MAY 2013 2613 On the Optimal Compressions in the Compress--Forward Relay Schemes Xiugang Wu, Student Member, IEEE, Liang-Liang Xie, Senior Member,
More informationPermutations of the Octagon: An Aesthetic-Mathematical Dialectic
Proceedings of Bridges 2015: Mathematics, Music, Art, Architecture, Culture Permutations of the Octagon: An Aesthetic-Mathematical Dialectic James Mai School of Art / Campus Box 5620 Illinois State University
More informationAn Efficient Low Bit-Rate Video-Coding Algorithm Focusing on Moving Regions
1128 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS FOR VIDEO TECHNOLOGY, VOL. 11, NO. 10, OCTOBER 2001 An Efficient Low Bit-Rate Video-Coding Algorithm Focusing on Moving Regions Kwok-Wai Wong, Kin-Man Lam,
More informationRoute optimization using Hungarian method combined with Dijkstra's in home health care services
Research Journal of Computer and Information Technology Sciences ISSN 2320 6527 Route optimization using Hungarian method combined with Dijkstra's method in home health care services Abstract Monika Sharma
More informationdata and is used in digital networks and storage devices. CRC s are easy to implement in binary
Introduction Cyclic redundancy check (CRC) is an error detecting code designed to detect changes in transmitted data and is used in digital networks and storage devices. CRC s are easy to implement in
More informationBeepBeep: Embedded Real-Time Encryption
BeepBeep: Embedded Real-Time Encryption Kevin Driscoll Honeywell Laboratories, 3660 Technology Drive, Minneapolis, MN 55418, USA kevin.driscoll@honeywell.com Abstract. The BeepBeep algorithm is designed
More informationDepartment of CSIT. Class: B.SC Semester: II Year: 2013 Paper Title: Introduction to logics of Computer Max Marks: 30
Department of CSIT Class: B.SC Semester: II Year: 2013 Paper Title: Introduction to logics of Computer Max Marks: 30 Section A: (All 10 questions compulsory) 10X1=10 Very Short Answer Questions: Write
More informationWATERMARKING USING DECIMAL SEQUENCES. Navneet Mandhani and Subhash Kak
Cryptologia, volume 29, January 2005 WATERMARKING USING DECIMAL SEQUENCES Navneet Mandhani and Subhash Kak ADDRESS: Department of Electrical and Computer Engineering, Louisiana State University, Baton
More information